Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Douyin Video Transcriber

v1.0.0

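(Verified) A powerful batch transcriber for Douyin videos that integrates downloading, audio extraction, and transcription with a local Whisper model.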

byan@ahsbnb
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, SKILL.md and scripts/run.py are coherent: the code downloads Douyin videos from TikHub, extracts audio with ffmpeg, and transcribes locally using openai-whisper. However, the registry metadata claims no required config paths or env vars, while the code requires a tikhub_api_token (in ~/.openclaw/config.json or env TIKHUB_API_TOKEN). The skill also expects an .openclaw root (searching up to 5 parent dirs, then falling back to ~/.openclaw), which was not declared in the metadata.
Instruction Scope
SKILL.md and the script scope are narrowly focused on downloading, extracting, and transcribing. The instructions explicitly ask the user to put tikhub_api_token into ~/.openclaw/config.json; the code reads that config file and writes output into OPENCLAW_ROOT/workspace/data/video-transcriber. The only external network calls are to the TikHub API and to video play URLs. Minor concern: the code searches parent directories for a directory containing config.json and a skills directory — it will read an OpenClaw config.json it finds, so users should ensure that file doesn't contain unrelated secrets.
Install Mechanism
No install spec (instruction-only with an included script). Dependencies are typical (python, requests, openai-whisper, ffmpeg). Nothing is downloaded or executed from arbitrary URLs by an installer step.
Credentials
The runtime requires a TikHub API token (tikhub_api_token) provided either in ~/.openclaw/config.json or via TIKHUB_API_TOKEN, but the registry metadata lists no required env vars or config paths — this mismatch is a packaging/information risk. Aside from that single token, the script does not request additional credentials. Users should verify the token's scope and avoid storing unrelated secrets in the same config file.
Persistence & Privilege
The skill is not always-enabled and does not alter other skills or system-wide settings. It writes reports to OPENCLAW_ROOT/workspace/data/video-transcriber and temporary files in the system temp directory (which it cleans up). It runs locally and uses local Whisper models; no privileged system changes observed.
What to consider before installing
This skill appears to implement the advertised workflow, but take these precautions before installing:

- The script requires a TikHub API token (tikhub_api_token). The registry metadata did not declare this — you must either add tikhub_api_token to ~/.openclaw/config.json or set TIKHUB_API_TOKEN in your environment. Verify the token's origin and permissions before storing it.
- Review the contents of any ~/.openclaw/config.json the skill will read. The script searches for an OpenClaw root (up to 5 parent directories from the skill location, then ~/.openclaw) and will read that config file; do not keep unrelated secrets there.
- ffmpeg and the Whisper Python package are required and run locally; Whisper models can be resource- and disk-intensive — ensure your machine has sufficient resources.
- The skill's listed source/homepage are effectively placeholders and the publisher is unknown; if you need stronger assurance, request the original upstream repository or a signed release and manually review scripts/run.py (which you have here).
- If you are uncomfortable placing a third-party token in your OpenClaw config, consider running this in an isolated environment/container or creating a dedicated OpenClaw config with only the TikHub token.

Given the metadata omissions and unknown origin, proceed only after verifying the token, config file contents, and author/source.

Like a lobster shell, security has layers — review code before you run it.
